GDPR and Cybersecurity:

Compliance beyond Encryption

With the spectre of the General Data Protection Regulation (GDPR) looming, businesses across Europe are scrambling to ensure they are compliant before it comes into effect on 25th May. But this isn’t a law that can simply be adhered to with the right software, as Lucy Ingham finds out from Becrypt CEO Dr Bernard Parsons

On the 25th May this year, the EU’s General Data Protection Regulation (GDPR) will come into effect, introducing comprehensive data protection across Europe. Businesses large and small across the continent need to comply, and while many have already taken all the steps necessary, others still have a long way to go.

One of the biggest issues with this wide-reaching regulation is that it is not simply about a particular technology or method, which means businesses cannot just take a tick-box approach to compliance with an off-the-shelf product.

“GDPR and the impact on business is much, much broader than just the technical controls, such as encryption, and I think it always helps to remember that,” says Dr Bernard Parsons, CEO and co-founder of Becrypt, a company that offers a host of security solutions, particularly around encryption, to SMEs, large corporations and government entities.

“It does require some thinking: you don’t need to be experts, some of it is commonsense. It requires you to think sensibly about the information you're holding, why you're holding it and what you're doing with it.”

Non-prescriptive regulation: a blessing and a curse

GDPR is unusual among regulations in how little it prescribes: it does not mandate specific technical controls, something Parsons describes as “both a good thing and a bad thing”.

On one hand, it can leave organisations floundering, with a lack of easy solutions making it difficult for them to comply.

“It can leave organisations saying 'well, I don't get it. I'm supposed to protect my data, I'm supposed to think about privacy, but what are the tools, what specifically do I need to do?'” summarises Parsons.

However, this approach also has its benefits, as it ensures that businesses are truly engaging with data protection rather than making a token effort.

“If you do implement a compliance regime that is overly prescriptive, then it can become a tick-box exercise for those that need to comply,” he says.

This, Parsons argues, has been the problem with previous legislation in this space, such as the Payment Card Industry Data Security Standard (PCI).

“PCI – ok, it has come a long way and I think the industry that needs to adhere to PCI has matured a lot – but there is strong evidence historically that it was just taken on board as a tick-box exercise, so there are certain controls that are specified within this regime, and if I can tick that box then I don't need to worry about anything else.”

And while businesses may sometimes feel that box-ticking is an acceptable approach to security, this attitude has played a role in some of the most concerning cybersecurity breaches in recent years.

“There are examples of organisations that suffer data breaches that really they shouldn't have suffered,” says Parsons. “They should have had more mature controls in place and a more mature culture in place than they were shown to have, and the reason for that was that that tick-box compliance sets the bar and people don't bother thinking beyond that.”

Re-thinking data processes: The opportunity of GDPR

GDPR, then, is a chance for businesses to reevaluate their data practices, something which those following cybersecurity best practices have likely already done.

“GDPR is an opportunity for businesses to take a step back and think about what data they have and they hold, why they hold it, what those processes are around the data, before they start thinking about protecting it, because there is an onus to think about proportionality and being able to justify the nature or quantity of data that you are holding,” says Parsons.

In particular, the regulation encourages an attitude around cybersecurity that professionals have been encouraging for years, but which many businesses remain reluctant to embrace. Yet in doing so, they may find themselves not only in a more secure position, but may see operational efficiencies too.

“It's about business processes: it's about ensuring that there is an appropriate risk management culture and risk management processes within your organisation, whether large or small,” he says. “And that can have very, I think, positive consequences to businesses.

“Obviously you're reducing the risk to the business when you start to think in that way, but also very often – and this is the experience we had going through our GDPR readiness ourselves – is that when you start to look at your processes and look at how you're holding information, how you're using it, that can uncover opportunities for efficiency, bringing new efficiencies into the business and its processes.”

Reflecting on Becrypt’s own efforts to become GDPR ready, Parsons recommends businesses not only look at the UK government’s Cyber Essentials scheme, but also seriously consider their operational approach to data.

“What we found is that having gone through that process, it was still the case when we were going through the GDPR readiness programme ourselves that we were forced to think more in terms of business requirements and business risk, whereas Cyber Essentials leaves you thinking very much about technical controls and technical risk,” he says.

“You'll be thinking about what kind of firewall do I need, or do I need a firewall, or do I need a patching regime so that I'm regularly patching all my systems, which is great and that's all good stuff, but organisations need to take the next step of maturity, which is a high-level conversation around the business processes.

“What are relevant risks to the different processes, what countermeasures do we have in place for each of those risks, if any, and if not, are we happy that we own that residual risk, is that reflective of our risk appetite, of our risk culture? You really need to have a mature approach to this, I believe, you need not to just get stuck at the technical controls.”

Roaming with data: the role of encryption in GDPR

Of course, while there is a strong business process aspect to GDPR, there remains an important technical element to regulatory compliance, particularly around encryption.

“There is a responsibility on businesses under GDPR to ensure that they are adequately protecting a range of information, but particularly personally identifiable information. Now GDPR obviously goes far broader than that, but that is primarily where the relevance of encryption is,” says Parsons.

“Within all of that you will identify the need to protect data, and the role that encryption primarily has here is where that data is at most risk.”

Across many businesses, portable devices are now used to access data from any number of locations, from public transport and eateries to hotels and homes. And it is this widespread practice that many businesses will need to ensure is protected with adequate security measures.

“If your processes allow data to leave your organisation either physically or electronically then you increase the risk to the data,” he explains. “An example of that would be an end-user device, a laptop, or a phone, or a tablet or some form of computing device on which data resides.

“The loss of that device would compromise the personally identifiable information that you have, unless you have an appropriate technical control in place and in that example that means encryption.

“So protecting data within the organisation doesn't necessarily have to come down to encryption, there are a number of ways that you can do it, but once you ship that data outside on media such as a laptop, then really the safest way to do that is to encrypt it, and the process of encryption is effectively transforming the data, the personal data, into something that's unreadable, inaccessible by anyone other than the individual that's authorised, or the individuals that are authorised, to see that data.”

This area, for which Becrypt provides a number of software solutions, is important, because it can often represent a weak link in data management, making it an area in which unwary businesses easily fail to live up to the requirements of GDPR.

“In the case of a laptop, if you've got logon credentials then by definition you are authorised to see it, but if you lose a laptop on a train or anywhere else, the person that comes across it doesn't have the logon credentials and cannot therefore gain access to any of the encrypted data,” he says.

“That effectively transforms the loss of a laptop from potential loss of data to becoming just a loss of a physical asset and you're avoiding a data breach. Yes, there has been a security incident that would need to be appropriately audited, but that is not a data breach. If the data has been encrypted, and if you can demonstrate that you know it is encrypted, then it just becomes a physical loss of an asset.”

Not the end of the road for data regulation

While many are currently looking to GDPR as the ultimate monolith of data regulation, Parsons does not believe that this will be the final form of such legislation, despite him expecting it to improve the security of data among businesses.

“I think we will see more regulation over time,” he says. “We've seen this comment from the government itself that prior to regulation the market has shown that it can't really self-organise; it hasn't got the appropriate levers. Those levers don't exist automatically within the market for organisations to invest sufficiently in cybersecurity and in the corresponding culture in order to appropriately protect data.”

This need for regulation is also supported by Becrypt’s own experiences.

“That's the position that I agree with, it's what we as an organisation see,” he says. “The evidence that we have is that we sell both into regulated and unregulated markets, obviously government for some time has been regulated and actually we saw big change in government regulation related to data encryption back in 2008, there was a data-handling review, and that had a big impact within government on the adoption of encryption and the protection of data.

“So there is evidence of the impact that regulation can have, and so I think we will see a step in the right direction with GDPR, but I don't think that that will be the end game. I think there will need to be more scrutiny placed on certain parts of the regulation and how it applies to certain industries over time.”

PR nightmares: Ten of the worst corporate data breaches

LinkedIn, 2012

Hackers sold name and password info for more than 117 million accounts

Target, 2013

The personal and financial information of 110 million customers was exposed

JP Morgan, 2014

One of JP Morgan Chase’s servers was compromised, resulting in fraud schemes yielding up to $100m

Home Depot, 2014

Hackers stole email and credit card data from more than 50 million customers

Sony, 2014

Emails and sensitive documents were leaked, thought to be by North Korea in retaliation for Sony’s production of a film mocking the country’s leader Kim Jong Un

Hilton Hotels, 2015

Dozens of Hilton and Starwood hotels had their payment systems compromised and hackers managed to steal customer credit card data

TalkTalk, 2015

The personal data of 156,959 customers, including names, addresses, dates of birth and phone numbers, were stolen

Tesco, 2016

Hackers made off with around $3.2m from more than 9,000 Tesco Bank accounts

Swift, 2016

Weaknesses in the Swift payment system resulted in $81m being stolen from the Bangladesh Central Bank’s account at the New York Federal Reserve

Chipotle, 2017

Phishing was used to steal the credit card information of millions of Chipotle customers, thought to be part of a wider restaurant customer scam orchestrated by an Eastern European criminal gang